Adding Kerberos authentication and authorization to Solr
@(OTHERS)[solr]
1. Kerberos
(1) Add the service principal
Add the Solr service principal in the KDC and export its key to a keytab:
root@kdc:/# kadmin.local
kadmin.local: addprinc HTTP/192.168.0.107
kadmin.local: ktadd -k /tmp/107.keytab HTTP/192.168.0.107
kadmin.local: quit
Notes: addprinc without -randkey prompts for a password; a service principal normally gets a random key (addprinc -randkey). The notes use the node's IP as the instance part of the principal; in most deployments it is the host's FQDN, because clients build the service name from the hostname they connect to, so the instance part must be whatever clients will actually ask for. The keytab holds the service's long-term key: copy it to the path Solr will read (/keytabs/107.keytab below), owned by the Solr user with mode 0600, and delete the copy left in /tmp.
(2) Create security.json
Upload a security.json that selects the Kerberos authentication plugin to ZooKeeper:
server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd put /security.json '{"authentication":{"class":"org.apache.solr.security.KerberosPlugin"}}'
Or write the JSON to a file and upload that file instead (the local path is illustrative):
server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd putfile /security.json /path/to/security.json
If the cluster uses a ZooKeeper chroot (step 5 starts Solr with .../solr), -zkhost must include it (localhost:2181/solr), otherwise security.json lands outside the tree Solr reads and authentication silently stays off.
(3) Create the JAAS file
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/107.keytab"
storeKey=true
useTicketCache=true
debug=true
principal="HTTP/192.168.0.107@EXAMPLE.COM";
};
Where does this file go? Anywhere the Solr process can read it: Solr finds it only through the path given in -Djava.security.auth.login.config (step 4 uses /home/foo/jaas-client.conf), so the two must match. The entry name Client is the one the Kerberos plugin looks up by default (solr.kerberos.jaas.appname); keyTab and principal must match the keytab and principal created in step 1. debug=true writes the login trace to the log and should be turned off once the setup works.
(4) Add the following to solr.in.sh
SOLR_AUTHENTICATION_CLIENT_CONFIGURER=org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer
SOLR_AUTHENTICATION_OPTS="-Djava.security.auth.login.config=/home/foo/jaas-client.conf -Dsolr.kerberos.cookie.domain=192.168.0.107 -Dsolr.kerberos.cookie.portaware=true -Dsolr.kerberos.principal=HTTP/192.168.0.107@EXAMPLE.COM -Dsolr.kerberos.keytab=/keytabs/107.keytab"
(The class name was misspelled Krb5HttplientConfigurer in the original notes.) The configurer makes Solr's own inter-node HTTP requests authenticate with Kerberos; the -Dsolr.kerberos.* options configure the server-side plugin, and the principal and keytab here must be the same ones named in the JAAS file.
Does the same apply when Solr is started under Tomcat?
(5) Start Solr
bin/solr start -c -z server1:2181,server2:2181,server3:2181/solr
This does not apply to Tomcat: solr.in.sh is only sourced by the bin/solr script, so a Tomcat deployment has to pass the same -D options to the JVM another way (for example through JAVA_OPTS or CATALINA_OPTS).
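The five steps above produce three artifacts that have to agree with each other (security.json, the JAAS file and the solr.in.sh options) plus a keytab that must stay private. The following script, an added example that is not part of the original notes or of Solr itself, generates all three from one set of parameters, cross-checks that the principal, keytab and JAAS path are the same everywhere, and checks the keytab's file mode. The realm, host, keytab path and JAAS path are the ones the notes use and are assumptions; the keytab files it creates are constructed stand-ins, not real keytabs.

```python
"""Generate the Kerberos artifacts from one parameter set and cross-check them.
Added example (not from the original notes or from Solr); REALM, HOST, KEYTAB
and JAAS_PATH are the values the notes use, taken here as assumptions."""
import json
import os
import stat
import tempfile

REALM = "EXAMPLE.COM"
HOST = "192.168.0.107"                    # instance part of the service principal
PRINCIPAL = f"HTTP/{HOST}@{REALM}"
KEYTAB = "/keytabs/107.keytab"            # where the exported keytab is copied to
JAAS_PATH = "/home/foo/jaas-client.conf"  # must equal java.security.auth.login.config


def kerberos_security_json():
    """security.json that switches Solr to the Kerberos plugin (compact, for zkcli -cmd put)."""
    return json.dumps({"authentication": {"class": "org.apache.solr.security.KerberosPlugin"}})


def jaas_conf(principal, keytab, entry="Client", debug=False):
    """JAAS login entry. Solr's server-side plugin looks up the entry named
    "Client" (solr.kerberos.jaas.appname); SolrJ clients look up "SolrJClient"."""
    return (
        f"{entry} {{\n"
        "  com.sun.security.auth.module.Krb5LoginModule required\n"
        "  useKeyTab=true\n"
        f'  keyTab="{keytab}"\n'
        "  storeKey=true\n"
        "  useTicketCache=true\n"
        f"  debug={str(debug).lower()}\n"
        f'  principal="{principal}";\n'
        "};\n"
    )


def solr_in_sh(principal, keytab, jaas_path, host):
    """The two solr.in.sh lines: the configurer makes Solr's own inter-node HTTP
    calls authenticate with Kerberos, the -D options configure the plugin."""
    opts = " ".join([
        f"-Djava.security.auth.login.config={jaas_path}",
        f"-Dsolr.kerberos.cookie.domain={host}",
        "-Dsolr.kerberos.cookie.portaware=true",
        f"-Dsolr.kerberos.principal={principal}",
        f"-Dsolr.kerberos.keytab={keytab}",
    ])
    return (
        "SOLR_AUTHENTICATION_CLIENT_CONFIGURER="
        "org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer\n"
        f'SOLR_AUTHENTICATION_OPTS="{opts}"\n'
    )


def consistent(jaas_text, solr_in_sh_text, principal, keytab, jaas_path):
    """The JAAS entry and the -D options must name the same principal, keytab and
    JAAS file; otherwise the server logs in as one identity and advertises another."""
    return (
        f'principal="{principal}"' in jaas_text
        and f'keyTab="{keytab}"' in jaas_text
        and f"-Dsolr.kerberos.principal={principal}" in solr_in_sh_text
        and f"-Dsolr.kerberos.keytab={keytab}" in solr_in_sh_text
        and f"-Djava.security.auth.login.config={jaas_path}" in solr_in_sh_text
    )


def keytab_mode_ok(path):
    """A keytab is the service's long-term key: refuse any group or world bits."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def keytab_check_demo():
    """Constructed stand-in keytab files in a temp dir: one 0600, one 0644."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.keytab"), os.path.join(d, "bad.keytab")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "wb") as f:
                f.write(b"\x05\x02")  # keytab format version header only, constructed
            os.chmod(path, mode)
        return keytab_mode_ok(good), keytab_mode_ok(bad)


if __name__ == "__main__":
    jaas = jaas_conf(PRINCIPAL, KEYTAB)
    opts = solr_in_sh(PRINCIPAL, KEYTAB, JAAS_PATH, HOST)
    print(kerberos_security_json())
    print(jaas)
    print(opts)
    print("consistent:", consistent(jaas, opts, PRINCIPAL, KEYTAB, JAAS_PATH))
    print("keytab mode ok (0600, 0644):", keytab_check_demo())
```

Run it once with the real values and diff its output against the files on the node; the consistency check is the one to repeat after any change to the principal or keytab path, since a mismatch does not fail loudly at start-up.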
2. Authorization
(1) Enable the plugins
The authorization plugin is configured alongside whichever authentication plugin is in use. The example below (from the Solr reference guide) uses solr.BasicAuthPlugin; with the Kerberos setup from section 1 the "authentication" block stays as in step (2) and only the "authorization" block is added, with user-role keyed by the user name the Kerberos plugin reports, which is the principal unless solr.kerberos.name.rules maps it to a short name.
{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[{"name":"security-edit", "role":"admin"}],
    "user-role":{"solr":"admin"}
  }
}
The credentials value is a single string "<hash> <salt>" (the original notes had the two parts on separate lines and were missing the comma after the permissions array, which makes the JSON invalid). This particular credential is the reference guide's well-known user solr / password SolrRocks; replace it (set-user on /solr/admin/authentication) before anyone else can reach the cluster. blockUnknown: true rejects unauthenticated requests instead of passing them on to the authorization rules.
(2) Grant permissions
Add a permission for the collections API so that only the admin role can list and create collections:
curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{
  "set-permission": {"name":"collection-mgr",
                     "collection": null,
                     "path":"/admin/collections",
                     "params":{"action":["LIST", "CREATE"]},
                     "role": "admin"}
}' http://localhost:8983/solr/admin/authorization
The action values must be JSON strings (the unquoted [LIST, CREATE] in the original is rejected as invalid JSON). "collection": null marks a request that is not tied to a collection, which is what admin paths need. The optional "before" field, an integer index of an existing permission, controls where the new rule is inserted; it is left out here because a new permission is otherwise appended, and rules are matched in order. The --user credentials here are the documented defaults; with the Kerberos plugin the request is sent with a ticket instead (curl --negotiate -u :).
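The credential in section 2 (1) is the reference guide's default, and section 2 (2) shows the JSON that has to be sent to the authorization endpoint. The following script, an added example that is not from the original notes or from Solr's code base, reimplements the salted double SHA-256 that Solr's Sha256AuthenticationProvider uses (as understood by the author of this example) so that fresh credentials can be generated offline, existing credentials verified, and any user still on the SolrRocks default flagged; it also builds the security.json and set-permission bodies with the quoting and comma fixes applied. The password strings are constructed inputs.

```python
"""Solr BasicAuthPlugin credentials: generate, verify, detect the documented default.
Added example, not from the original notes or from Solr; it reimplements the hash
of Solr's Sha256AuthenticationProvider as this example's author understands it."""
import base64
import hashlib
import hmac
import json
import os

# The credential shown in the notes and in the Solr reference guide:
# user "solr", password "SolrRocks". Known to anyone who has read the docs.
DOC_DEFAULT = ("IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
               "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=")


def solr_sha256(password, salt_b64):
    """base64( sha256( sha256( salt || utf8(password) ) ) ): the salt is prepended and
    the digest applied twice. This is a fast hash, so password strength matters."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password):
    """Value for the "credentials" map: "<hash> <salt>" with a fresh 32-byte random salt."""
    salt_b64 = base64.b64encode(os.urandom(32)).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def verify_credential(password, credential):
    """Constant-time comparison of the recomputed hash against the stored one."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return hmac.compare_digest(solr_sha256(password, salt_b64), stored_hash)


def default_credential_users(credentials):
    """Users whose stored credential still verifies against the documented password."""
    return sorted(u for u, c in credentials.items() if verify_credential("SolrRocks", c))


def security_config(credentials, user_roles):
    """security.json as a dict: Basic auth plus rule-based authorization, as in the notes."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,
            "credentials": credentials,
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "security-edit", "role": "admin"}],
            "user-role": user_roles,
        },
    }


def collection_mgr_permission():
    """Body for /solr/admin/authorization; the action values must be JSON strings."""
    return {"set-permission": {"name": "collection-mgr",
                               "collection": None,
                               "path": "/admin/collections",
                               "params": {"action": ["LIST", "CREATE"]},
                               "role": "admin"}}


if __name__ == "__main__":
    # Constructed users: "solr" still on the default, "ops" with a new passphrase.
    creds = {"solr": DOC_DEFAULT, "ops": make_credential("a long random passphrase")}
    print("still on the documented default:", default_credential_users(creds))
    print(json.dumps(security_config(creds, {"solr": "admin", "ops": "admin"}), indent=2))
    print(json.dumps(collection_mgr_permission()))
```

default_credential_users is the check worth running against a cluster's live security.json (zkcli -cmd get /security.json) before exposing it; if it returns anything, those users' passwords are public knowledge.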
3. Authentication from SolrJ
To use Kerberos authentication in a SolrJ application, you need the following two lines before you create a SolrClient (both classes are in org.apache.solr.client.solrj.impl; this is the SolrJ 5.x/6.x API, and later releases replaced the configurer with Krb5HttpClientBuilder):
System.setProperty("java.security.auth.login.config", "/home/foo/jaas-client.conf");
HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
You need to specify a Kerberos principal for the client and a corresponding keytab in the JAAS client configuration file above; Krb5HttpClientConfigurer reads the entry named SolrJClient, so the entry name must be exactly that. Here's an example:
SolrJClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/foo.keytab"
storeKey=true
useTicketCache=true
debug=true
principal="foo@EXAMPLE.COM";
};